Wednesday, May 1, 2013

selinux


  • # getenforce
    # setenforce 0
  • list SELinux file, user and process contexts (the -Z option on ls, id and ps)
    • ls -Z
    • id -Z
    • ps -eaZ | grep httpd
    • stat -c "%a %n" <file-name>
    • getfattr -n security.selinux <file-name>
  • change the security context (like chmod). There are two commands for setting the content type: with chcon you make a temporary change (it disappears after a reboot), and with semanage followed by restorecon you make the change permanent. semanage requires the full path to the file; restorecon does not.
    • chcon -R -t postgresql_db_t /data
    • semanage fcontext -a -t postgresql_db_t "/data(/.*)?"; restorecon -R -v /data
    • semanage fcontext -l
  • restore the default contexts (restorecon -v reports each change as old context -> new context)
    • restorecon -Rv /srv/www
    • sample -v output: restorecon reset /root/.ssh context system_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0
  • audit2allow translates SELinux denial (AVC) messages from the audit log into policy rules; semodule loads the resulting module:
    # grep sendmail /var/log/audit/audit.log | audit2allow -M myrule
    # semodule -i myrule.pp
  • chcon
    chcon is used to label a file or files with a specified security context.

    checkpolicy
    checkpolicy is a tool used to compile policy sources into a binary policy file. Generally it is not called directly, but invoked by the policy's Makefile. See Section 4.4 for more details on compiling SELinux policy.

    fixfiles
    fixfiles can be used to relabel the entire filesystem based on the current policy, or to relabel a packaged application's files based on the information included in that application's rpm package.

    The command touch /.autorelabel can also be used to relabel the entire filesystem upon the next reboot of the system.

    getenforce
    getenforce returns the current enforcement state of the SELinux system, either permissive or enforcing. The permissive state will log denials but not actually enforce them, which can be very useful during policy development. The normal production state should always be enforcing.

    newrole
    The newrole command is used to switch roles. Typically the command would be issued as newrole -r sysadm_r to transition to the sysadm_r role for system administration tasks.

    restorecon
    restorecon is used to relabel selected files back to their default context, as defined in the security policy.

    run_init
    Rather than starting daemons by running the appropriate script in /etc/init.d, you must use run_init and pass the script path and arguments on its command line. This is required to perform the proper security transitions so that the daemon runs under its proper security context.

    sestatus
    sestatus displays the current status of SELinux, including the status (either permissive or enforcing), policy version, and the settings of all policy booleans.

    setenforce
    setenforce is used to toggle the SELinux status between enforcing and permissive. Issue setenforce 0 to enter permissive mode, or setenforce 1 to enter enforcing mode.

    setsebool
    setsebool is used to toggle policy booleans on or off. See Section 4.5 for an explanation of policy booleans.

    seuser
    seuser is used to create, delete, and modify SELinux users and roles. These are not to be confused with normal Linux user accounts.
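The audit2allow step above takes whatever denial lines you pipe into it; a quick summary of what those lines would allow is worth having before a module is built and loaded. The following is an added example, not part of the original notes: it filters AVC lines by source type and summarises them per (source type, target type, class, permission). The function names and the sample audit.log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original notes: triage AVC denials from
# /var/log/audit/audit.log before handing them to audit2allow, so you can see
# what a generated module would allow instead of loading it blind.
# Function names and the sample log lines are constructed for this example.

# Constructed sample of audit.log content (AVC lines plus one SYSCALL line).
sample_avc_log() {
    cat <<'EOF'
type=AVC msg=audit(1367400000.101:101): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev=sda1 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1367400000.102:102): avc:  denied  { read } for  pid=1201 comm="httpd" name="style.css" dev=sda1 ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1367400000.103:103): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1367400000.103:103): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1367400000.104:104): avc:  denied  { write } for  pid=1305 comm="sendmail" name="dead.letter" dev=sda1 ino=2001 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Keep only AVC lines whose source (process) type is $1, e.g. sendmail_t.
# Narrower than a bare "grep sendmail", which matches any line containing the word.
avc_for_source_type() {
    grep -E "scontext=[^:]*:[^:]*:$1:"
}

# Summarise denials read from stdin: one line per distinct
# (source type, target type, class, permissions) tuple, most frequent first.
summarize_avc() {
    awk '
        $1 == "type=AVC" && /avc: +denied/ {
            perms = ""; s = ""; t = ""; c = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") {                       # permissions sit between { and }
                    for (j = i + 1; $j != "}"; j++)
                        perms = perms (perms == "" ? "" : ",") $j
                } else if (index($i, "scontext=") == 1) s = substr($i, 10)
                else if (index($i, "tcontext=") == 1) t = substr($i, 10)
                else if (index($i, "tclass=") == 1)    c = substr($i, 8)
            }
            split(s, sa, ":"); split(t, ta, ":")       # user:role:type:level -> [3] is the type
            count[sa[3] " " ta[3] " " c " " perms]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Stand-alone usage: summarise the constructed sample, then only the sendmail_t denials.
sample_avc_log | summarize_avc
sample_avc_log | avc_for_source_type sendmail_t | summarize_avc
```

On a real system the same functions read the live log (`summarize_avc < /var/log/audit/audit.log`, or `avc_for_source_type httpd_t < /var/log/audit/audit.log | audit2allow -M myrule`). A denial such as httpd_t reading user_home_t is often better fixed by relabeling the content with semanage/restorecon, as in the chcon section above, or by flipping a boolean with setsebool, rather than by allowing it in a custom module.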


When going from Disabled mode to Permissive or Enforcing mode, SELinux has to relabel the entire filesystem (effectively running "restorecon /") because contexts are not set at all while SELinux is disabled.

/etc/sysconfig/selinux

  • find out which package provides semanage
    # yum provides /usr/sbin/semanage